Penetration testing

One of the most common approaches in assessing the security level of an application is to simulate an attacker’s perspective with no prior knowledge on the system, hence “Black Box”. Our team of experts, try different scenarios, attack vectors and utilize hands-on as well as automated attacking techniques in order to gain as much information about the system and eventually uncover its weakest links.

Bypassing business logic at the application level, may allow the attacker to constantly win on a gambling applications, perform unlimited money transfer on banking applications etc. Detecting these types of flaws requires solid experience, creative thinking and strong intuition. Utilizing known vulnerabilities coupled with intelligence gathering capabilities allows our team of white hat hackers exploit systems on different levels.

OUR APPROACH

The Penetration Test can be performed in two methods: Invasive – when trying to exploit any vulnerability (Usually on testing environment), Non-Invasive – Vulnerabilities are only discovered and reported, they are not exploited (Usually on production environment).

Our techniques, tools and methodologies has been developed over thousands of penetration tests. We adhere to industry standards such as the OWASP top 10 as well as business logic-related application flaws that are unique and different to each application. We include all classes of WASC attacks in our tests.

DELIVERABLES

The results of a penetration test are detailed in a comprehensive report that clearly explain where your vulnerabilities are, what the risk to your business is, who may be able to exploit these vulnerability and how to best secure your application.

Our reports are aimed to both non-technical senior executives, focusing on potential risks and probability, as well as to the application developers giving an in-depth explanation regarding the way mitigate risks.

In order enable more effective discussion, and better understanding of software weaknesses detailed in our reports, we care to co correlate each vulnerability to a valid MITRE CWE ID.